One Time Passwords Tutorial for SuSE Linux.

Dear AO.

Today I read a thread posted by sweet_angel with the topic “One time passwords”. This is something I have not seen on AO so far, so I decided to write a simple tutorial about what it is and how to set it up.

Unfortunately my tutorial is based on SuSE Linux, so I'm not very sure of the differences to other *nix systems. The software needed for this is on my SuSE distribution CDs. I hope this comes in handy for some people.

One Time Passwords By InStRoNiCs.

One time passwords (aka OTP) are passwords that are valid for only one login. A user therefore gets a list of several one time passwords, which has to be renewed once all the passwords on it are used up. An example of where you find this type of security is banking, where it is used for PINs and TANs. If an attacker were able to capture the packets containing the (encrypted) login information and tried to resend them, they would be useless to him, since the login information (the password) is only valid for one use. For SuSE Linux there are 2 solutions for one time passwords, and both work as PAM modules.

OPIE (One Time Passwords In Everything)

OPIE is an implementation of the OTP standard described in RFC 1938. OPIE is compatible with the S/Key implementation for Linux by Olaf Kirch. If you wish to use OPIE through PAM, you need the following packages.

opie-2.32.tar.gz

pam_opie-0.21.tar.gz

The archive opie-2.32.tar.gz contains the current stable OPIE version 2.32. It also includes the OPIE library, which makes OTP authentication possible in your own programs (it can be set up to work in any application that requires authentication). The OPIE 2.32 system programs, for example login, ftpd etc., use this library. The PAM variant of OPIE was also implemented on top of this library.

The archive pam_opie-0.21.tar.gz contains the OPIE library version 2.32 and the OPIE PAM module.

When the archives are extracted, 2 directories (opie-2.32 and pam_opie) are created and populated.

After this, the PAM module becomes available as /lib/security/pam_opie.so. Before you can activate pam_opie.so you have to set up the OPIE client programs and the OPIE administration tools that are included in OPIE 2.32.

(I would like to remind you to prefer a “make install” over using an rpm package.)

Since you will be using pam_opie, there is no need for the system programs from OPIE. Because of this, the Makefile template has to be modified a little bit.

The pass phrase is the secret key of the user bubu; it should be at least 10 characters long and can now be entered here. After you have entered your secret pass phrase (the input is not echoed), opiekey will print the answer (the response).

With this, pam_unix is deactivated by commenting it out, and pam_opie is activated instead. From this point on, user bubu cannot log in with his normal password, but only with an OTP (which we activated with opiepasswd). It is advisable to activate user root first.

For OTP logins we now need either the list of one time passwords or an OTP calculator. The program opiekey is such an OTP calculator.

Always remember that if a list of one time passwords gets lost, the system administrator has to be notified ASAP. It is not a problem to create a new password list.
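How the chain behind opiepasswd and opiekey works, as an added Python example that is not part of the original post or of the OPIE sources: it implements the otp-md5 hash chain from RFC 2289 (the successor of RFC 1938) and shows why a captured response is useless on a second login. The seed, passphrase and the OtpServer/demo names are constructed for this example; the six-word encoding that opiekey prints for the response is left out.

```python
import hashlib


def fold_md5(data: bytes) -> bytes:
    """One hash step of RFC 2289 (otp-md5): MD5, then XOR the two 64-bit halves."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_hash(seed: str, passphrase: str, count: int) -> bytes:
    """Hash number `count` of the chain, starting from seed (lowercased) + passphrase."""
    value = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        value = fold_md5(value)
    return value


class OtpServer:
    """Constructed stand-in for the record pam_opie keeps per user: seed,
    sequence number and the last accepted hash. The passphrase is never stored."""

    def __init__(self, seed: str, passphrase: str, start: int = 499):
        self.seed = seed
        self.seq = start
        self.stored = otp_hash(seed, passphrase, start)  # what opiepasswd records

    def challenge(self) -> str:
        # The next login must answer for one step lower in the chain.
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        # Hashing the response once must reproduce the stored value. A replayed
        # response fails because the stored value has moved one step down.
        if self.seq < 1 or fold_md5(response) != self.stored:
            return False
        self.stored = response
        self.seq -= 1
        return True


def demo() -> tuple:
    # Constructed sample values: user bubu's seed and passphrase are made up.
    server = OtpServer("ke1234", "correct horse battery staple")
    seq = int(server.challenge().split()[1])                             # 498
    response = otp_hash("ke1234", "correct horse battery staple", seq)  # opiekey's job
    first = server.verify(response)   # fresh OTP accepted
    replay = server.verify(response)  # the same OTP resent is rejected
    return first, replay, server.seq
```

otp_hash can be checked against the otp-md5 test vectors published in RFC 2289.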

I had a hard time writing this tutorial, since all my sources of information were in German, so I hope the translation is readable (SuSE is by default a German system). Forgive me for any typos, I have tried to avoid them as much as possible. I hope this tutorial will help you get started on the issue "one time passwords".

Good luck.

Oh, one more thing.... I mentioned that the first user to be added to the PAM list should be root. I recommend you make a BACKUP of everything before applying this. It can lock you out of your system if you make a mistake. Otherwise for me it all worked fine. (Remember that all this has to be done as user root.)

Cheers everyone

//addon//

Please keep in mind that this software is from my SuSE 7.3, so some versions might be outdated. The procedures are the same, just make sure that you get any updated versions needed.